Network Policy Conditions Properties

Applies To: Windows Server 2008

Network policy conditions

Every network policy must have at least one configured condition. NPS provides several groups of conditions that let you define precisely which properties a connection request received by NPS must have in order to match the policy. All of the conditions configured in a policy must be met for a connection request to match it; if any one condition is not met, NPS skips that policy and goes on to evaluate the next one.

The available condition groups are:

  • Groups

  • HCAP

  • Day and time restrictions

  • Network Access Protection

  • Connection properties

  • RADIUS client properties

  • Gateway

Groups

Groups conditions specify user or computer groups that you configure in Active Directory Domain Services (AD DS) and to which you want the other rules of the network policy to apply when group members attempt to connect to the network.

  • Windows Groups

    Specifies that the connecting user or computer must belong to one of the specified groups.

  • Machine Groups

    Specifies that the connecting computer must belong to one of the specified groups.

  • User Groups

    Specifies that the connecting user must belong to one of the specified groups.

HCAP

Host Credential Authorization Protocol (HCAP) conditions are used only when you want to integrate your NPS Network Access Protection (NAP) solution with Cisco Network Admission Control. To use these conditions, you must deploy Cisco Network Admission Control and NAP. You must also deploy an HCAP server running both Internet Information Services (IIS) and NPS. For more information, see Host Credential Authorization Protocol.

Following are the HCAP conditions you can configure in network policy.

  • Location Groups

    Specifies the user's or computer's HCAP location group membership required to match this policy.

  • HCAP User Groups

    Specifies the user's HCAP user group membership required to match this policy.

Day and time restrictions

  • Day and Time Restrictions

    Allows you to specify, on a weekly grid of days and hours, whether connections are allowed or denied at a specific set of days and times.

    For example, you can configure this condition to allow access to your network only between 8 A.M. and 5 P.M., Monday through Thursday. Users whose connection requests match all of the other conditions of the network policy can then connect only during those hours; requests that arrive on Fridays, Saturdays, or Sundays, or outside 8 A.M. to 5 P.M. on Monday through Thursday, do not meet this condition, so the policy does not apply to them.

    Conversely, you can specify the days and times when connections to the network are denied. If you specify days and times when connections are denied, users are allowed access to your network on the unspecified days and times. For example, if you configure this condition to deny connections all day on Sunday, users cannot connect at any time on Sundays, but they can connect Monday through Saturday at any time.

    To configure the Day and Time Restrictions condition, obtain the properties of a network policy, click the Conditions tab, and then click Add. Scroll to and click Day and Time Restrictions, and then click Add. In Time of day constraints, click Permitted, click the grid pattern of days and times, and then use your mouse to select the days and times that you want to specify.

Note

The condition can be met only at the days and times that are marked Permitted in the grid. Selecting Denied marks the cells you click as denied; if no cell in the grid remains Permitted, no connection time can satisfy the condition and NPS never applies the policy.
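The following is an added example, not code from the original page or from NPS itself. It models the Day and Time Restrictions condition as the 7-day by 24-hour grid the UI presents, builds the two policies described above (Monday-Thursday business hours as Permitted, and all of Sunday as Denied), and shows the boundary behaviour a practitioner will want to confirm: the cell granularity is one hour, so a request at exactly 5 P.M. falls in the Denied 17:00 cell, and a grid with no Permitted cells never matches. The class and the two policy builders are constructed for illustration.

```python
"""Model of the Day and Time Restrictions condition: a 7-day by 24-hour grid in which each
cell is Permitted or Denied, satisfied only when the request's timestamp falls in a Permitted
cell. Added example, not NPS code; the two policies below are constructed from the text."""
from datetime import datetime


class DayAndTimeRestrictions:
    def __init__(self, default_permitted=False):
        # grid[day][hour] is True when that hour is Permitted; day 0 is Monday (datetime.weekday())
        self.grid = [[default_permitted] * 24 for _ in range(7)]

    def mark(self, days, start_hour, end_hour, permitted):
        """Paint the hours [start_hour, end_hour) on each given day; end_hour=24 runs to midnight."""
        if not 0 <= start_hour < end_hour <= 24:
            raise ValueError("need 0 <= start_hour < end_hour <= 24")
        for day in days:
            for hour in range(start_hour, end_hour):
                self.grid[day][hour] = permitted

    def permit(self, days, start_hour, end_hour):
        self.mark(days, start_hour, end_hour, True)

    def deny(self, days, start_hour, end_hour):
        self.mark(days, start_hour, end_hour, False)

    def has_permitted_cells(self):
        # A grid with no Permitted cells can never be satisfied, so the policy never applies.
        return any(any(day) for day in self.grid)

    def matches(self, when):
        """True when the request time falls in a Permitted cell. Accepts a datetime or ISO string."""
        if isinstance(when, str):
            when = datetime.fromisoformat(when)
        return self.grid[when.weekday()][when.hour]


def business_hours_policy():
    # First example in the text: Permitted only Mon-Thu 08:00-17:00, everything else Denied.
    condition = DayAndTimeRestrictions(default_permitted=False)
    condition.permit(days=range(0, 4), start_hour=8, end_hour=17)
    return condition


def no_sunday_policy():
    # Second example in the text: start from all Permitted and paint all of Sunday Denied.
    condition = DayAndTimeRestrictions(default_permitted=True)
    condition.deny(days=[6], start_hour=0, end_hour=24)
    return condition


if __name__ == "__main__":
    bh = business_hours_policy()
    for stamp in ("2024-01-08T08:00", "2024-01-08T16:59", "2024-01-08T17:00", "2024-01-12T10:00"):
        print(stamp, "matches" if bh.matches(stamp) else "does not match")
```

The grid is evaluated against the hour of the request, so the last permitted minute of a Permitted 16:00 cell is 16:59; a request stamped 17:00 already falls in the Denied cell.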

Network Access Protection

Following are the NAP conditions that you can configure in network policy.

  • Identity Type

    Used for NAP DHCP and IPsec deployments to allow client health checks in circumstances where NPS does not receive an Access-Request message that contains a value for the User-Name attribute; in these circumstances, client health checks are performed but authentication and authorization are not performed.

    RADIUS Access-Request messages typically include the User-Name attribute, which allows NPS to authenticate and authorize a connection request. When a value for the User-Name attribute is absent, NPS normally provides a default user name.

    However, for scenarios such as NAP enforcement with DHCP or IPsec, where a client health check occurs without authentication or authorization (such as when a DHCP client renews an IP address lease), the User-Name attribute is not present and NPS does not provide a default user name.

    When NPS receives a request for a client health check that does not include the User-Name attribute and the Identity Type condition is configured with a value of Computer health check, the request matches the policy and, if all other conditions and constraints configured in the policy are also matched, the policy settings are applied.

    In addition, in network policy constraints, you can enable the Perform machine health check only authentication method setting.

    For more information, see Enable Client Health Checks for DHCP and IPsec NAP Deployments.

  • MS-Service Class

    Restricts the policy to clients that have received an IP address from a DHCP scope that matches the specified DHCP profile name. This condition is used only when you are deploying NAP with the DHCP enforcement method. To use the MS-Service Class attribute, in Specify the profile name that identifies your DHCP scope, type the name of an existing DHCP profile.

  • Health Policies

    Restricts the policy to clients that meet the health criteria specified in the health policy. For example, you might configure two health policies using the Windows Security Health Validator (SHV): one for client computers that pass all of the health checks the Windows SHV specifies, and one for client computers that fail them. If you select the health policy that requires all checks to pass, the statement of health (SoH) that the NAP agent on the client computer sends to NPS must state that the client passed every check required by the Windows SHV in order for this condition to be met.

  • NAP-Capable Computers

    Restricts the policy either to clients that are capable of participating in NAP or to clients that are not. NPS determines this capability by whether the client sends an SoH.

  • Operating System

    Specifies the operating system (operating system version or service pack number), role (client or server), and architecture (x86, x64, or ia64) required for the computer configuration to match the policy.

  • Policy Expiration

    Specifies when the network policy expires; after the date and time you specify, NPS no longer evaluates the policy. This condition is useful when the policy's NAP Enforcement setting grants client computers full network access for a limited time: you can make the network policy expire at the same moment that the NAP Enforcement grace period ends. In that case, create a second network policy that enforces NAP from the expiration time of the first policy onward, so that the connection requests the first policy used to handle are still governed by an explicit policy.

Connection properties

Following are the connection properties that you can configure in network policy.

  • Access Client IPv4 Address

    Specifies the IPv4 address of the access client that is required to match the conditions of the policy.

  • Access Client IPv6 Address

    Specifies the IPv6 address of the access client that is required to match the conditions of the policy.

  • Authentication Type

    Specifies the authentication methods that are required for the connection request to match the network policy.

  • Allowed EAP Types

    Specifies the EAP types that the client computer's authentication method must use for the connection request to match this policy. This condition is useful when authentication is configured in connection request policy. In that case the authentication settings in network policy are overridden, but the Allowed EAP Types condition still causes NPS to check which EAP type the connection is actually using: if it is not one of the specified types, NPS does not use this network policy for authorization and continues looking for a policy whose conditions the connection request matches.

  • Framed Protocol

    Restricts the policy to clients that specify a certain framing protocol for incoming packets, such as PPP or SLIP.

  • Service Type

    Restricts the policy to only clients specifying a certain type of service, such as Telnet or Point to Point Protocol connections.

  • Tunnel Type

    Restricts the policy to clients that establish a specific type of tunnel, such as PPTP or L2TP. The RADIUS Tunnel-Type attribute is also the attribute NPS uses when you deploy virtual local area networks (VLANs), where it carries the value VLAN rather than a tunneling protocol. For more information, see VLAN Attributes Used in Network Policy.
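The following is an added example, not code from the original page or from NPS. It models the selection behaviour described under Allowed EAP Types: NPS walks the ordered list of network policies and applies the first one whose conditions are all met, skipping any policy with an unmet condition, including one whose Allowed EAP Types does not cover the EAP type in use. The policy list, the two sample requests, and the condition names (taken from this page) are constructed for illustration; EAP type and NAS-Port-Type numbers are the registered RFC 3748 and RFC 2865 values.

```python
"""Model of network policy selection: NPS walks the ordered policy list and applies the first
policy whose conditions are all met; a policy with any unmet condition is skipped and the
search continues. Added example, not NPS code; policies and requests are constructed."""

# EAP method type numbers from the IANA registry (RFC 3748)
EAP_TLS, EAP_PEAP, EAP_MSCHAPV2 = 13, 25, 26
# RADIUS NAS-Port-Type values (RFC 2865)
NAS_PORT_VIRTUAL, NAS_PORT_ETHERNET, NAS_PORT_WIRELESS_80211 = 5, 15, 19


class NetworkPolicy:
    def __init__(self, name, conditions, grant_access=True):
        # NPS requires at least one condition on every network policy.
        if not conditions:
            raise ValueError(f"network policy {name!r} needs at least one condition")
        self.name = name
        self.conditions = conditions      # condition name -> set of acceptable values
        self.grant_access = grant_access

    def matches(self, request):
        """ALL conditions must hold. A request value that is itself a set (group memberships)
        satisfies the condition when it shares at least one member with the acceptable set."""
        for name, acceptable in self.conditions.items():
            if name not in request:
                return False
            value = request[name]
            if isinstance(value, (set, frozenset)):
                if not (value & acceptable):
                    return False
            elif value not in acceptable:
                return False
        return True


def select_policy(policies, request):
    """Return the first matching policy, or None (NPS rejects a request that matches no policy)."""
    for policy in policies:
        if policy.matches(request):
            return policy
    return None


# Constructed policy list, in evaluation order
POLICIES = [
    NetworkPolicy("Wireless - EAP-TLS",
                  {"NAS Port Type": {NAS_PORT_WIRELESS_80211}, "Allowed EAP Types": {EAP_TLS}}),
    NetworkPolicy("Wireless - PEAP for domain users",
                  {"NAS Port Type": {NAS_PORT_WIRELESS_80211}, "Allowed EAP Types": {EAP_PEAP},
                   "Windows Groups": {"CONTOSO\\Domain Users"}}),
    NetworkPolicy("Catch-all deny",
                  {"NAS Port Type": {NAS_PORT_VIRTUAL, NAS_PORT_ETHERNET, NAS_PORT_WIRELESS_80211}},
                  grant_access=False),
]


def peap_laptop_request():
    # Constructed: a wireless PEAP connection by a domain member; skips the EAP-TLS policy
    return {"NAS Port Type": NAS_PORT_WIRELESS_80211, "Allowed EAP Types": EAP_PEAP,
            "Windows Groups": {"CONTOSO\\Domain Users", "CONTOSO\\Laptops"}}


def vpn_mschap_request():
    # Constructed: a VPN connection using EAP-MSCHAPv2; neither wireless policy can match it
    return {"NAS Port Type": NAS_PORT_VIRTUAL, "Allowed EAP Types": EAP_MSCHAPV2,
            "Windows Groups": {"CONTOSO\\Domain Users"}}


if __name__ == "__main__":
    for req in (peap_laptop_request(), vpn_mschap_request()):
        chosen = select_policy(POLICIES, req)
        print(chosen.name if chosen else "no policy matched", "->",
              "grant" if chosen and chosen.grant_access else "deny")
```

The ordering matters: the EAP-TLS policy is listed first and would take precedence for a wireless EAP-TLS request, while a PEAP request falls past it because its Allowed EAP Types condition is not met.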

RADIUS client properties

Following are the RADIUS client conditions that you can configure in network policy.

Important

Client computers, such as wireless portable computers and other computers running client operating systems, are not RADIUS clients. RADIUS clients are network access servers—such as wireless access points, 802.1X-capable switches, virtual private network (VPN) servers, and dial-up servers—because they use the RADIUS protocol to communicate with RADIUS servers such as Network Policy Server (NPS) servers.

  • Calling Station ID

    Specifies the telephone number from which the dial-up access client placed the call, as reported by the network access server in the RADIUS Calling-Station-Id attribute. For 802.1X wired and wireless connections, network access servers generally populate this attribute with the access client's MAC address instead.

  • Client Friendly Name

    Specifies the name of the RADIUS client that forwarded the connection request to the NPS server.

  • Client IPv4 Address

    Specifies the Internet Protocol (IP) version 4 address of the RADIUS client that forwarded the connection request to the NPS server.

  • Client IPv6 Address

    Specifies the Internet Protocol (IP) version 6 address of the RADIUS client that forwarded the connection request to the NPS server.

  • Client Vendor

    Specifies the name of the vendor or manufacturer of the RADIUS client that sends connection requests to the NPS server.

  • MS RAS Vendor

    Specifies the vendor identification number of the network access server that is requesting authentication, as carried in the Microsoft vendor-specific RADIUS attribute MS-RAS-Vendor.

Gateway

Following are the gateway properties that you can configure in network policy. These conditions match values that the network access server itself places in the RADIUS request (NAS-IP-Address, NAS-Identifier, Called-Station-Id, NAS-Port-Type). Because the NAS supplies them, they can differ from what NPS observes about the RADIUS client that actually sent the datagram, for example when a NAS has several interfaces or when requests are forwarded through a RADIUS proxy. To tie a policy to a specific RADIUS client, use the RADIUS client properties described above.

  • Called Station ID

    Allows you to specify the phone number of the network access server that the access client dialed, as reported by the NAS in the RADIUS Called-Station-Id attribute (802.1X access points commonly place their own MAC address and, for wireless, the SSID here). If you specify a NAS phone number and NPS receives a connection request from a NAS that reports a different number, the conditions of the policy are not met.

  • NAS Identifier

    Allows you to specify the name of the network access server that sent the connection request to NPS. If you specify a NAS name and NPS receives a connection request from a NAS with a different name, the conditions of the policy are not met.

  • NAS IPv4 Address

    Allows you to specify the IPv4 address of the network access server that sent the connection request to NPS. If you specify a NAS IPv4 address and NPS receives a connection request from a NAS with a different IPv4 address, the conditions of the policy are not met.

  • NAS IPv6 Address

    Allows you to specify the IPv6 address of the network access server that sent the connection request to NPS. If you specify a NAS IPv6 address and NPS receives a connection request from a NAS with a different IPv6 address, the conditions of the policy are not met.

  • NAS Port Type

    Allows you to specify the type of media used by the client computer to connect to the network. For example, if you specify Ethernet, the client computer must be accessing the network over the media type of Ethernet. If you specify a media type and the client computer is connecting to the network over a different media type, the conditions of the policy are not met. For example, if the designated media type is Wireless - IEEE 802.11 and the client computer is attempting to connect to the network with a media type of Virtual (VPN), the conditions of the policy are not met.
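The following is an added example, not code from the original page or from NPS. It parses a RADIUS Access-Request in the RFC 2865 attribute format and collects the attributes behind the Connection properties, RADIUS client properties, and Gateway conditions above, so you can see where each condition's value actually comes from. The point it demonstrates is the one that matters for policy design: Client IPv4 Address is taken from the source of the datagram, whereas NAS IPv4 Address, NAS Identifier, and Called Station ID are whatever the NAS chose to put in the packet, and the two can disagree. The packet bytes, the addresses, and the names are constructed inline, not captured from a real NAS.

```python
"""Parse a RADIUS Access-Request (RFC 2865 framing) and collect the attributes behind the
connection, RADIUS client and gateway conditions. Added example, not NPS code; the packet
is constructed inline, not captured from a network access server."""
import ipaddress
import struct

ACCESS_REQUEST = 1
ATTR_NAMES = {
    1: "User-Name", 4: "NAS-IP-Address", 6: "Service-Type", 7: "Framed-Protocol",
    30: "Called-Station-Id", 31: "Calling-Station-Id", 32: "NAS-Identifier",
    61: "NAS-Port-Type", 64: "Tunnel-Type", 95: "NAS-IPv6-Address",
}
INTEGER_ATTRS = {6, 7, 61}
VENDOR_SPECIFIC = 26
MICROSOFT_VENDOR_ID = 311     # RFC 2548
MS_RAS_VENDOR = 9             # vendor-type of MS-RAS-Vendor inside the Microsoft VSA


def parse_access_request(packet, source_ip):
    """Return a dict of decoded attributes plus the datagram's source address."""
    if len(packet) < 20:
        raise ValueError("RADIUS header is 20 bytes")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST:
        raise ValueError(f"not an Access-Request (code {code})")
    if length < 20 or length > len(packet):
        raise ValueError("Length field inconsistent with datagram size")
    # The RADIUS client conditions (Client IPv4/IPv6 Address, Client Friendly Name) key off the
    # source of the datagram, which NPS matches to a configured RADIUS client; they do not
    # come from any attribute the NAS chose to include.
    attrs = {"Client-IP-Address": source_ip}
    pos = 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad length {alen} for attribute {atype}")
        value = packet[pos + 2:pos + alen]
        pos += alen
        if atype == VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("short Vendor-Specific attribute")
            vendor_id = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            if vendor_id == MICROSOFT_VENDOR_ID and vtype == MS_RAS_VENDOR and vlen == 6:
                attrs["MS-RAS-Vendor"] = struct.unpack("!I", value[6:10])[0]
            continue
        name = ATTR_NAMES.get(atype)
        if name is None:
            continue
        if atype in INTEGER_ATTRS:
            attrs[name] = struct.unpack("!I", value)[0]
        elif atype == 4:
            attrs[name] = str(ipaddress.IPv4Address(value))
        elif atype == 95:
            attrs[name] = str(ipaddress.IPv6Address(value))
        elif atype == 64:
            # RFC 2868 tunnel attributes: one tag byte, then a 3-byte value (13 = VLAN)
            attrs[name] = int.from_bytes(value[1:4], "big")
        else:
            attrs[name] = value.decode("utf-8", errors="replace")
    return attrs


def _avp(atype, value):
    return bytes([atype, len(value) + 2]) + value


def build_sample_request():
    """Constructed Access-Request from a wireless access point; Request Authenticator zeroed."""
    ms_ras_vendor = (struct.pack("!I", MICROSOFT_VENDOR_ID) + bytes([MS_RAS_VENDOR, 6])
                     + struct.pack("!I", 311))
    body = b"".join([
        _avp(1, b"CONTOSO\\alice"),
        _avp(4, ipaddress.IPv4Address("10.0.0.5").packed),     # address the NAS claims for itself
        _avp(32, b"wlan-ap-01"),
        _avp(30, b"00-11-22-33-44-55:CorpWiFi"),                # AP MAC and SSID
        _avp(31, b"AA-BB-CC-DD-EE-FF"),                         # access client MAC
        _avp(61, struct.pack("!I", 19)),                        # Wireless - IEEE 802.11
        _avp(6, struct.pack("!I", 2)),                          # Service-Type Framed
        _avp(7, struct.pack("!I", 1)),                          # Framed-Protocol PPP
        _avp(64, b"\x00" + (13).to_bytes(3, "big")),            # Tunnel-Type VLAN, no tag
        _avp(VENDOR_SPECIFIC, ms_ras_vendor),
    ])
    header = struct.pack("!BBH", ACCESS_REQUEST, 7, 20 + len(body)) + bytes(16)
    return header + body


if __name__ == "__main__":
    # The datagram arrived from 192.0.2.10 but the NAS put 10.0.0.5 in NAS-IP-Address, so the
    # RADIUS client conditions and the gateway conditions would see different addresses.
    for key, val in parse_access_request(build_sample_request(), "192.0.2.10").items():
        print(f"{key:20} {val}")
```

Client Friendly Name and Client Vendor are likewise resolved by NPS from its own RADIUS client configuration for the source address, not from the packet, which is why the example records the source address separately from every decoded attribute.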